PHP security prevention program model
Copy code The code is as follows:
/* PHP anti-injection cross-site V1.0
Add: require(“menzhi_injection.php”);
at the top of your page to prevent SQL injection and XSS cross-site vulnerabilities.
##################Defects and Improvements##################
There are still many defects in the program , I hope you can help improve it
##################References and Acknowledgments##################
Neeao'ASP SQL universal anti-injection program V3.0
Part of the code is referenced from Discuz!
*/
error_reporting(0);
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
$menzhi_injection="'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|or|char|declare";
menzhi_injection = explode("|",$menzhi_injection);
foreach(array('_GET', '_POST', '_COOKIE','_REQUEST') as $_request) {
foreach($$_request as $ _key => $_value) {
//$_value = strtolower($_value);
$_key{0} != '_' && $$_key = daddslashes($_value); ($menzhi_injection as $kill_key => $kill_value) {
if(substr_count($_value,$kill_value)>0) {
echo "";
unset($_value);
exit();
}
}
//echo "
".$_value;
}
}
function daddslashes($string) {
if( !MAGIC_QUOTES_GPC) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val);
}
} else {
$string = addslashes($string);
}
}
$string = preg_replace('/&(((#(d{3,5}) |x[a-fA-F0-9]{4}));)/', '&\1',str_replace(array('&', '"', '<', '>'), array('&', '"', '<', '>'), $string));
return $string;
}
?>
Instructions for use
Add: "require("menzhi_injection.php");" at the top of your page to prevent SQL injection and XSS cross-site vulnerabilities. To call this program, we use require() instead of include(), because if an error occurs in the file called by require(), the program will be terminated, and include() will ignore it. And when require() calls a file, the external file will be called first as soon as the program is run. Inculde() only starts execution when it reaches this line. Based on the function characteristics, we choose require(). You can also add or delete filter characters in the $menzhi_injection variable according to actual needs to achieve better defense effects. Furthermore, you can modify the code yourself, and you may gain unexpected results. Ordinary injections can be defended. The following test is just for ridicule. The following is the test effect of a one-sentence Trojan:
Hehe, if you are tempted, just call it at the top of your page. Remember "require("menzhi_injection.php");" Oh. This is just a gimmick to arouse everyone's interest, please test it yourself.
Defects and improvements to be made
Since this program is only an external call, it only handles externally submitted variables, and does not conduct a systematic analysis of your application, so it has many limitations, so please use it with caution. For programs that use GBK encoding, there is also the risk of double-byte encoding vulnerabilities. Although this program can handle this vulnerability. But to curb these loopholes, we still need to start from the root cause. Need to handle the database connection file, we can add character_set_client=binary. The database connection class db_mysql.class.php of Discuz!7.0 is very well written and you can refer to it. Of course, these are not the scope of this small program.
And this program does not filter the $_SERVER $_ENV $_FILES system variables. For example, when the $_SERVER['HTTP_X_FORWARDED_FOR'] system obtains the IP, hackers can change its value by hijacking and modifying the original HTTP request packet. This program can handle these vulnerabilities. But as programmers, what we need is to deal with external variables from the root cause, take precautions before they happen, and take precautions.
The program is very messy. Everyone is welcome to test it. If you have any comments or suggestions, please contact me directly.
Conclusion
Finally, I wish you all success in your studies and work, and pay tribute to all the hard-working PHPers.
http://www.bkjia.com/PHPjc/320673.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/320673.htmlTechArticlePHP security prevention program model copy code code is as follows: /* PHP anti-injection cross-site V1.0 on your page Add: require(“menzhi_injection.php”); at the top to achieve universal prevention of SQL injection,...